pkg:Bitnami/discourse

235 CVEs in total: CRITICAL 4, HIGH 27, MEDIUM 134, LOW 11


All known vulnerabilities

  • CRITICAL 9.9 CVE-2025-68662: FinalDestination hostname matching allows SSRF protection bypass
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • CRITICAL 9.8 CVE-2021-41163: RCE via malicious SNS subscription payload
    from 0, < 2.7.9
  • CRITICAL 9.8 CVE-2023-47121: Discourse SSRF vulnerability in Embedding
    from 0, < 3.2.0
  • CRITICAL 9.1 CVE-2024-49765: Bypass of Discourse Connect using other login paths if enabled in Discourse
    from 0, < 3.3.3
  • HIGH 8.8 CVE-2022-21684: User can bypass approval when invited to Discourse
    from 0, < 2.7.13
  • HIGH 8.8 CVE-2022-39356: Discourse user account takeover via email and invite link
    from 0, < 2.8.10
  • HIGH 8.2 CVE-2026-31805: Discourse has a poll authorization bypass via post_id array parameter
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • HIGH 8.2 CVE-2024-55948: Anonymous cache poisoning via XHR requests in Discourse
    from 0, < 3.3.2
  • HIGH 8.2 CVE-2025-23023: Anonymous cache poisoning via request headers in Discourse
    from 0, < 3.3.2
  • HIGH 8.2 CVE-2024-45051: Bypass of email address validation via encoded email addresses in Discourse
    from 0, < 3.3.2
  • HIGH 8.2 CVE-2024-47773: Anonymous cache poisoning via XHR requests in Discourse
    from 0, < 3.3.2
  • HIGH 8.1 CVE-2022-46177: Discourse password reset link can lead to account takeover if user changes to a new email
    from 0, < 2.8.14
  • HIGH 8.1 CVE-2023-28112: Discourse's SSRF protection missing for some FastImage requests
    from 0, < 3.1.0
  • HIGH 7.5 CVE-2026-26265: Discourse has IDOR vulnerability in the directory items endpoint
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • HIGH 7.5 CVE-2026-26078: Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • HIGH 7.5 CVE-2024-37299: Discourse vulnerable to DoS via Tag Group
    from 0, < 3.2.5
  • HIGH 7.5 CVE-2024-35227: Discourse vulnerable to DoS through Onebox
    from 0, < 3.2.3
  • HIGH 7.5 CVE-2024-24827: No rate limits on POST /uploads endpoint in Discourse
    from 0, < 3.2.1
  • HIGH 7.5 CVE-2024-28242: Disclosure of the existence of secret categories with custom backgrounds in Discourse
    from 0, < 3.2.1
  • HIGH 7.5 CVE-2021-3138: In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.
    from 0, <= 2.6.0
  • HIGH 7.5 CVE-2021-37693: Re-use of email tokens in Discourse
    from 0, < 2.7.8
  • HIGH 7.5 CVE-2022-31184: Email activation route can be abused by spammers in Discourse
    from 0, <= 2.8.6
  • HIGH 7.5 CVE-2023-23621: Discourse vulnerable to ReDoS in user agent parsing
    from 0, < 3.0.1
  • HIGH 7.5 CVE-2023-28111: Discourse vulnerable to SSRF protection bypass possible with IPv4-mapped IPv6 addresses
    from 0, < 3.1.0
  • HIGH 7.5 CVE-2023-38684: Discourse vulnerable to possible DDoS due to unbounded limits in various controller actions
    from 0, < 3.0.6
  • HIGH 7.5 CVE-2023-44388: Malicious requests can fill up the log files resulting in a denial of service in Discourse
    from 0, <= 3.1.1
  • HIGH 7.5 CVE-2023-45131: Unauthenticated access to new private chat messages in Discourse
    from 0, <= 3.1.1
  • HIGH 7.5 CVE-2023-47120: Discourse DoS through Onebox favicon URL
    >= 3.1.0, < 3.1.3
  • HIGH 7.5 CVE-2023-48297: Discourse vulnerable to unlimited mentioned users in message serializer
    from 0, < 3.1.4
  • HIGH 7.2 CVE-2022-36066: Discourse vulnerable to RCE via admins uploading maliciously zipped file
    from 0, < 2.8.9
  • HIGH 7.2 CVE-2022-37458: Discourse through 2.8.7 allows admins to send invitations to arbitrary email addresses at an unlimited rate.
    from 0, < 2.8.8
  • MEDIUM 6.8 CVE-2021-43850: Denial of Service in discourse
    from 0, < 2.7.12
  • MEDIUM 6.8 CVE-2023-37467: Discourse is an open source discussion platform.
    >= 1.1.0-beta1, <= 1.1.0-beta1, >= 1.1.0-beta2, <= 1.1.0-beta2, >= 1.1.0-beta3, <= 1.1.0-beta3, >= 1.1.0-beta4, <= 1.1.0-beta4, >= 1.1.0-beta5, <= 1.1.0-beta5, >= 1.1.0-beta6, <= 1.1.0-beta6, >= 1.1.0-beta6b, <= 1.1.0-beta6b, >= 1.1.0-beta7, <= 1.1.0-beta7, >= 1.1.0-beta8, <= 1.1.0-beta8, >= 1.2.0-beta1, <= 1.2.0-beta1, >= 1.2.0-beta2, <= 1.2.0-beta2, >= 1.2.0-beta3, <= 1.2.0-beta3, >= 1.2.0-beta4, <= 1.2.0-beta4, >= 1.2.0-beta5, <= 1.2.0-beta5, >= 1.2.0-beta6, <= 1.2.0-beta6, >= 1.2.0-beta7, <= 1.2.0-beta7, >= 1.2.0-beta8, <= 1.2.0-beta8, >= 1.2.0-beta9, <= 1.2.0-beta9, >= 1.3.0-beta1, <= 1.3.0-beta1, >= 1.3.0-beta10, <= 1.3.0-beta10, >= 1.3.0-beta11, <= 1.3.0-beta11, >= 1.3.0-beta2, <= 1.3.0-beta2, >= 1.3.0-beta3, <= 1.3.0-beta3, >= 1.3.0-beta4, <= 1.3.0-beta4, >= 1.3.0-beta5, <= 1.3.0-beta5, >= 1.3.0-beta6, <= 1.3.0-beta6, >= 1.3.0-beta7, <= 1.3.0-beta7, >= 1.3.0-beta8, <= 1.3.0-beta8, >= 1.3.0-beta9, <= 1.3.0-beta9, >= 1.4.0-beta1, <= 1.4.0-beta1, >= 1.4.0-beta10, <= 1.4.0-beta10, >= 1.4.0-beta11, <= 1.4.0-beta11, >= 1.4.0-beta12, <= 1.4.0-beta12, >= 1.4.0-beta2, <= 1.4.0-beta2, >= 1.4.0-beta3, <= 1.4.0-beta3, >= 1.4.0-beta4, <= 1.4.0-beta4, >= 1.4.0-beta5, <= 1.4.0-beta5, >= 1.4.0-beta6, <= 1.4.0-beta6, >= 1.4.0-beta7, <= 1.4.0-beta7, >= 1.4.0-beta8, <= 1.4.0-beta8, >= 1.4.0-beta9, <= 1.4.0-beta9, >= 1.5.0-beta1, <= 1.5.0-beta1, >= 1.5.0-beta10, <= 1.5.0-beta10, >= 1.5.0-beta11, <= 1.5.0-beta11, >= 1.5.0-beta12, <= 1.5.0-beta12, >= 1.5.0-beta13, <= 1.5.0-beta13, >= 1.5.0-beta13b, <= 1.5.0-beta13b, >= 1.5.0-beta14, <= 1.5.0-beta14, >= 1.5.0-beta2, <= 1.5.0-beta2, >= 1.5.0-beta3, <= 1.5.0-beta3, >= 1.5.0-beta4, <= 1.5.0-beta4, >= 1.5.0-beta5, <= 1.5.0-beta5, >= 1.5.0-beta6, <= 1.5.0-beta6, >= 1.5.0-beta7, <= 1.5.0-beta7, >= 1.5.0-beta8, <= 1.5.0-beta8, >= 1.5.0-beta9, <= 1.5.0-beta9, >= 1.6.0-beta1, <= 1.6.0-beta1, >= 1.6.0-beta10, <= 1.6.0-beta10, >= 1.6.0-beta11, <= 1.6.0-beta11, >= 1.6.0-beta12, <= 1.6.0-beta12, >= 1.6.0-beta2, <= 1.6.0-beta2, >= 
1.6.0-beta3, <= 1.6.0-beta3, >= 1.6.0-beta4, <= 1.6.0-beta4, >= 1.6.0-beta5, <= 1.6.0-beta5, >= 1.6.0-beta6, <= 1.6.0-beta6, >= 1.6.0-beta7, <= 1.6.0-beta7, >= 1.6.0-beta8, <= 1.6.0-beta8, >= 1.6.0-beta9, <= 1.6.0-beta9, >= 1.7.0-beta1, <= 1.7.0-beta1, >= 1.7.0-beta10, <= 1.7.0-beta10, >= 1.7.0-beta11, <= 1.7.0-beta11, >= 1.7.0-beta2, <= 1.7.0-beta2, >= 1.7.0-beta3, <= 1.7.0-beta3, >= 1.7.0-beta4, <= 1.7.0-beta4, >= 1.7.0-beta5, <= 1.7.0-beta5, >= 1.7.0-beta6, <= 1.7.0-beta6, >= 1.7.0-beta7, <= 1.7.0-beta7, >= 1.7.0-beta8, <= 1.7.0-beta8, >= 1.7.0-beta9, <= 1.7.0-beta9, >= 1.8.0-beta1, <= 1.8.0-beta1, >= 1.8.0-beta10, <= 1.8.0-beta10, >= 1.8.0-beta11, <= 1.8.0-beta11, >= 1.8.0-beta12, <= 1.8.0-beta12, >= 1.8.0-beta13, <= 1.8.0-beta13, >= 1.8.0-beta2, <= 1.8.0-beta2, >= 1.8.0-beta3, <= 1.8.0-beta3, >= 1.8.0-beta4, <= 1.8.0-beta4, >= 1.8.0-beta5, <= 1.8.0-beta5, >= 1.8.0-beta6, <= 1.8.0-beta6, >= 1.8.0-beta7, <= 1.8.0-beta7, >= 1.8.0-beta8, <= 1.8.0-beta8, >= 1.8.0-beta9, <= 1.8.0-beta9, >= 1.9.0-beta1, <= 1.9.0-beta1, >= 1.9.0-beta10, <= 1.9.0-beta10, >= 1.9.0-beta11, <= 1.9.0-beta11, >= 1.9.0-beta12, <= 1.9.0-beta12, >= 1.9.0-beta13, <= 1.9.0-beta13, >= 1.9.0-beta14, <= 1.9.0-beta14, >= 1.9.0-beta15, <= 1.9.0-beta15, >= 1.9.0-beta16, <= 1.9.0-beta16, >= 1.9.0-beta17, <= 1.9.0-beta17, >= 1.9.0-beta2, <= 1.9.0-beta2, >= 1.9.0-beta3, <= 1.9.0-beta3, >= 1.9.0-beta4, <= 1.9.0-beta4, >= 1.9.0-beta5, <= 1.9.0-beta5, >= 1.9.0-beta6, <= 1.9.0-beta6, >= 1.9.0-beta7, <= 1.9.0-beta7, >= 1.9.0-beta8, <= 1.9.0-beta8, >= 1.9.0-beta9, <= 1.9.0-beta9, >= 2.0.0-beta1, <= 2.0.0-beta1, >= 2.0.0-beta10, <= 2.0.0-beta10, >= 2.0.0-beta2, <= 2.0.0-beta2, >= 2.0.0-beta3, <= 2.0.0-beta3, >= 2.0.0-beta4, <= 2.0.0-beta4, >= 2.0.0-beta5, <= 2.0.0-beta5, >= 2.0.0-beta6, <= 2.0.0-beta6, >= 2.0.0-beta7, <= 2.0.0-beta7, >= 2.0.0-beta8, <= 2.0.0-beta8, >= 2.0.0-beta9, <= 2.0.0-beta9, >= 2.1.0-beta1, <= 2.1.0-beta1, >= 2.1.0-beta2, <= 2.1.0-beta2, >= 2.1.0-beta3, <= 2.1.0-beta3, >= 2.1.0-beta4, <= 
2.1.0-beta4, >= 2.1.0-beta5, <= 2.1.0-beta5, >= 2.1.0-beta6, <= 2.1.0-beta6, >= 2.2.0-beta1, <= 2.2.0-beta1, >= 2.2.0-beta10, <= 2.2.0-beta10, >= 2.2.0-beta2, <= 2.2.0-beta2, >= 2.2.0-beta3, <= 2.2.0-beta3, >= 2.2.0-beta4, <= 2.2.0-beta4, >= 2.2.0-beta5, <= 2.2.0-beta5, >= 2.2.0-beta6, <= 2.2.0-beta6, >= 2.2.0-beta7, <= 2.2.0-beta7, >= 2.2.0-beta8, <= 2.2.0-beta8, >= 2.2.0-beta9, <= 2.2.0-beta9, >= 2.3.0-beta1, <= 2.3.0-beta1, >= 2.3.0-beta10, <= 2.3.0-beta10, >= 2.3.0-beta11, <= 2.3.0-beta11, >= 2.3.0-beta2, <= 2.3.0-beta2, >= 2.3.0-beta3, <= 2.3.0-beta3, >= 2.3.0-beta4, <= 2.3.0-beta4, >= 2.3.0-beta5, <= 2.3.0-beta5, >= 2.3.0-beta6, <= 2.3.0-beta6, >= 2.3.0-beta7, <= 2.3.0-beta7, >= 2.3.0-beta8, <= 2.3.0-beta8, >= 2.3.0-beta9, <= 2.3.0-beta9, >= 2.4.0-beta1, <= 2.4.0-beta1, >= 2.4.0-beta10, <= 2.4.0-beta10, >= 2.4.0-beta11, <= 2.4.0-beta11, >= 2.4.0-beta2, <= 2.4.0-beta2, >= 2.4.0-beta3, <= 2.4.0-beta3, >= 2.4.0-beta4, <= 2.4.0-beta4, >= 2.4.0-beta5, <= 2.4.0-beta5, >= 2.4.0-beta6, <= 2.4.0-beta6, >= 2.4.0-beta7, <= 2.4.0-beta7, >= 2.4.0-beta8, <= 2.4.0-beta8, >= 2.4.0-beta9, <= 2.4.0-beta9, >= 2.5.0-beta1, <= 2.5.0-beta1, >= 2.5.0-beta2, <= 2.5.0-beta2, >= 2.5.0-beta3, <= 2.5.0-beta3, >= 2.5.0-beta4, <= 2.5.0-beta4, >= 2.5.0-beta5, <= 2.5.0-beta5, >= 2.5.0-beta6, <= 2.5.0-beta6, >= 2.5.0-beta7, <= 2.5.0-beta7, >= 2.6.0-beta1, <= 2.6.0-beta1, >= 2.6.0-beta2, <= 2.6.0-beta2, >= 2.6.0-beta3, <= 2.6.0-beta3, >= 2.6.0-beta4, <= 2.6.0-beta4, >= 2.6.0-beta5, <= 2.6.0-beta5, >= 2.6.0-beta6, <= 2.6.0-beta6, >= 2.7.0-beta1, <= 2.7.0-beta1, >= 2.7.0-beta2, <= 2.7.0-beta2, >= 2.7.0-beta3, <= 2.7.0-beta3, >= 2.7.0-beta4, <= 2.7.0-beta4, >= 2.7.0-beta5, <= 2.7.0-beta5, >= 2.7.0-beta6, <= 2.7.0-beta6, >= 2.7.0-beta7, <= 2.7.0-beta7, >= 2.7.0-beta8, <= 2.7.0-beta8, >= 2.7.0-beta9, <= 2.7.0-beta9, >= 2.8.0-beta1, <= 2.8.0-beta1, >= 2.8.0-beta10, <= 2.8.0-beta10, >= 2.8.0-beta11, <= 2.8.0-beta11, >= 2.8.0-beta2, <= 2.8.0-beta2, >= 2.8.0-beta3, <= 2.8.0-beta3, >= 2.8.0-beta4, <= 
2.8.0-beta4, >= 2.8.0-beta5, <= 2.8.0-beta5, >= 2.8.0-beta6, <= 2.8.0-beta6, >= 2.8.0-beta7, <= 2.8.0-beta7, >= 2.8.0-beta8, <= 2.8.0-beta8, >= 2.8.0-beta9, <= 2.8.0-beta9, >= 2.9.0-beta1, <= 2.9.0-beta1, >= 2.9.0-beta10, <= 2.9.0-beta10, >= 2.9.0-beta11, <= 2.9.0-beta11, >= 2.9.0-beta12, <= 2.9.0-beta12, >= 2.9.0-beta13, <= 2.9.0-beta13, >= 2.9.0-beta14, <= 2.9.0-beta14, >= 2.9.0-beta2, <= 2.9.0-beta2, >= 2.9.0-beta3, <= 2.9.0-beta3, >= 2.9.0-beta4, <= 2.9.0-beta4, >= 2.9.0-beta5, <= 2.9.0-beta5, >= 2.9.0-beta6, <= 2.9.0-beta6, >= 2.9.0-beta7, <= 2.9.0-beta7, >= 2.9.0-beta8, <= 2.9.0-beta8, >= 2.9.0-beta9, <= 2.9.0-beta9, >= 3.0.0-beta15, <= 3.0.0-beta15, >= 3.0.0-beta16, <= 3.0.0-beta16, >= 3.1.0-beta1, <= 3.1.0-beta1, >= 3.1.0-beta2, <= 3.1.0-beta2, >= 3.1.0-beta3, <= 3.1.0-beta3, >= 3.1.0-beta5, <= 3.1.0-beta5, >= 3.1.0-beta6, <= 3.1.0-beta6
  • MEDIUM 6.5 CVE-2026-33355: Discourse filters whisper posts from private-posts feed
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 6.5 CVE-2026-32099: Discourse prevents hidden profile data leak via user onebox
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 6.5 CVE-2026-26077: Discourse doesn't ensure webhooks require a token
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • MEDIUM 6.5 CVE-2026-24742: Discourse staff action logs expose sensitive information to moderators
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • MEDIUM 6.5 CVE-2026-21865: Discourse topic conversion permission vulnerability for moderators
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • MEDIUM 6.5 CVE-2025-68934: Discourse Has Denial of Service (DoS) Vulnerability in Drafts Creation Endpoint
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2026.1.0
  • MEDIUM 6.5 CVE-2024-53851: Partial denial of service via inline oneboxes in Discourse
    from 0, < 3.3.3
  • MEDIUM 6.5 CVE-2024-36113: Discourse missing authorization checks for suspending admins/moderators
    from 0, < 3.2.3
  • MEDIUM 6.5 CVE-2024-27085: Denial of service through invites in Discourse
    from 0, < 3.2.1
  • MEDIUM 6.5 CVE-2024-27100: Denial of service via Staff Actions in Discourse
    from 0, < 3.2.1
  • MEDIUM 6.5 CVE-2022-23548: Discourse is an open source discussion platform.
    from 0, < 2.8.14
  • MEDIUM 6.5 CVE-2022-23549: Discourse vulnerable to bypass of post max_length using HTML comments
    from 0, < 2.8.14
  • MEDIUM 6.5 CVE-2022-23641: Denial of Service in Discourse
    from 0, < 2.8.1
  • MEDIUM 6.5 CVE-2022-39232: Discourse is an open source discussion platform.
    >= 2.9.0-beta5, <= 2.9.0-beta5, >= 2.9.0-beta6, <= 2.9.0-beta6, >= 2.9.0-beta7, <= 2.9.0-beta7, >= 2.9.0-beta8, <= 2.9.0-beta8, >= 2.9.0-beta9, <= 2.9.0-beta9
  • MEDIUM 6.5 CVE-2022-39385: Users erroneously and transparently added to private messages in Discourse
    from 0, < 2.8.10
  • MEDIUM 6.5 CVE-2023-22739: Discourse subject to Allocation of Resources Without Limits or Throttling
    from 0, < 3.0.1
  • MEDIUM 6.5 CVE-2023-22740: Discourse vulnerable to Allocation of Resources Without Limits via Chat drafts
    from 0, < 3.0.1
  • MEDIUM 6.5 CVE-2023-26040: Discourse is an open-source discussion platform.
    >= 3.1.0-beta2, <= 3.1.0-beta2
  • MEDIUM 6.5 CVE-2023-36818: Discourse is an open source discussion platform.
    >= 3.1.0-beta5, <= 3.1.0-beta5
  • MEDIUM 6.5 CVE-2023-38498: Discourse vulnerable to DoS via defer queue
    from 0, < 3.0.6
  • MEDIUM 6.5 CVE-2023-38706: Discourse vulnerable to DoS via drafts
    from 0, < 3.1.1
  • MEDIUM 6.5 CVE-2023-40588: Discourse DoS via 2FA and Security Key Names
    from 0, < 3.1.1
  • MEDIUM 6.5 CVE-2023-41042: Discourse DoS via remote theme assets
    from 0, < 3.1.1
  • MEDIUM 6.5 CVE-2023-41043: Discourse DoS via SvgSprite cache
    from 0, < 3.1.1
  • MEDIUM 6.1 CVE-2025-66488: Discourse allows script execution in uploaded HTML/XML files on S3
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • MEDIUM 6.1 CVE-2025-48954: Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow
    from 0, < 3.5.0
  • MEDIUM 6.1 CVE-2025-48062: Discourse vulnerable to HTML injection when inviting to topic via email
    from 0, < 3.4.4
  • MEDIUM 6.1 CVE-2024-56328: HTMLi (XSS without CSP) via Onebox urls in Discourse
    from 0, < 3.4.0
  • MEDIUM 6.1 CVE-2025-22602: Stored DOM-based XSS (without CSP) via video placeholders in Discourse
    from 0, < 3.4.0
  • MEDIUM 6.1 CVE-2024-52794: Magnific lightbox susceptible to Cross-site Scripting in Discourse
    from 0, < 3.3.3
  • MEDIUM 6.1 CVE-2024-47772: Cross-site Scripting (XSS) via chat excerpts when content security policy (CSP) disabled in Discourse
    from 0, < 3.3.2
  • MEDIUM 6.1 CVE-2024-37165: Discourse has an XSS via Onebox system
    from 0, < 3.2.3
  • MEDIUM 6.1 CVE-2024-39320: Discourse allows iframe injection through default site setting
    from 0, < 3.2.5
  • MEDIUM 6.1 CVE-2024-35234: Discourse vulnerable to stored-dom XSS via Facebook Oneboxes
    from 0, < 3.2.3
  • MEDIUM 6.1 CVE-2021-37633: XSS via d-popover and d-html-popover attribute
    from 0, < 2.7.8
  • MEDIUM 6.1 CVE-2021-41095: XSS via blocked watched word in error message
    from 0, <= 2.7.7
  • MEDIUM 6.1 CVE-2023-22454: Discourse vulnerable to Cross-site Scripting through pending post titles descriptions
    from 0, < 2.8.14
  • MEDIUM 6.1 CVE-2023-22455: Discourse vulnerable to Cross-site Scripting through tag descriptions
    from 0, < 2.8.14
  • MEDIUM 6.1 CVE-2023-29196: HTML injection via topic embedding in Discourse
    from 0, < 3.1.0
  • MEDIUM 6.1 CVE-2023-36473: CSP nonce reuse vulnerability in Discourse
    from 0, < 3.0.5
  • MEDIUM 6.1 CVE-2023-47119: HTML injection in oneboxed links
    from 0, < 3.2.0
  • MEDIUM 6.1 CVE-2024-23834: Discourse improperly sanitized user input leads to XSS
    from 0, < 3.2.0
  • MEDIUM 5.9 CVE-2024-53991: Potential Backup file leaked via Nginx in Discourse
    from 0, < 3.3.3
  • MEDIUM 5.7 CVE-2022-31096: Invites restricted to an email or invite links restricted to an email domain may be bypassed under certain conditions in Discourse
    from 0, <= 2.8.4
  • MEDIUM 5.7 CVE-2023-25167: Regular expression denial of service via installing themes via git in discourse
    from 0, < 3.0.1
  • MEDIUM 5.5 CVE-2026-30888: Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint
    from 0, < 2026.3.0
  • MEDIUM 5.5 CVE-2022-23546: Discourse vulnerable to private topic leak via email#send_digest
    from 0, < 2.9.0
  • MEDIUM 5.4 CVE-2026-32273: Discourse: XSS on category description update via API
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • MEDIUM 5.4 CVE-2026-33411: Discourse's solved topic stream has potential stored XSS in topic title
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 5.4 CVE-2026-33410: Discourse hardens chat DM channel creation and expansion
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 5.4 CVE-2026-33395: Discourse has stored click-based XSS via Graphviz SVG javascript: links
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 5.4 CVE-2026-33251: Discourse has a Hidden Solved topics permission bypass
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 5.4 CVE-2026-27166: Discourse vulnerable to HTML injection via prohibited iframe URLs
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 5.4 CVE-2026-26207: Discourse's discourse-policy plugin lacks post access check
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • MEDIUM 5.4 CVE-2025-68933: Discourse non-admin moderators can exfiltrate private content via post ownership transfer
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • MEDIUM 5.4 CVE-2025-67723: Discourse vulnerable to stored Cross-site Scripting via Katex in discourse-math plugin
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • MEDIUM 5.4 CVE-2025-58054: Discourse is vulnerable to XSS when quoting chat messages
    from 0, < 3.5.1
  • MEDIUM 5.4 CVE-2024-53266: Cross-site Scripting (XSS) via topic titles when CSP disabled in Discourse
    from 0, < 3.3.3
  • MEDIUM 5.4 CVE-2021-32764: YouTube Onebox susceptible to XSS
    from 0, <= 2.7.5
  • MEDIUM 5.4 CVE-2021-39161: Cross-site scripting via category name in Discourse
    from 0, < 2.7.8
  • MEDIUM 5.4 CVE-2022-46148: Discourse allows self-XSS through malicious composer message
    from 0, < 2.8.11
  • MEDIUM 5.4 CVE-2023-22468: Discourse vulnerable to Cross-site Scripting in local oneboxes
    from 0, < 2.8.13
  • MEDIUM 5.4 CVE-2023-25172: Discourse vulnerable to Cross-site Scripting - user name displayed on post
    from 0, < 3.1.0
  • MEDIUM 5.4 CVE-2023-30538: Stored Cross-site Scripting via improper sanitization of svg files in Discourse
    from 0, < 3.1.0 | from 0, <= 3.0.2
  • MEDIUM 5.4 CVE-2023-43659: Cross-site Scripting via email preview when CSP disabled in Discourse
    from 0, <= 3.1.1
  • MEDIUM 5.4 CVE-2023-45806: Discourse vulnerable to DoS via Regexp Injection in Full Name
    from 0, < 3.2.0
  • MEDIUM 5.4 CVE-2023-46130: Bypassing height value allowed in some theme components
    from 0, < 3.2.0
  • MEDIUM 5.3 CVE-2026-32244: Discourse: Cached outdated summaries can leak removed content
    from 0, < 2026.1.4, >= 2026.3.0, < 2026.3.1, >= 2026.4.0, < 2026.4.1
  • MEDIUM 5.3 CVE-2026-27454: Discourse has check revision visibility on posts endpoint
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 5.3 CVE-2025-68659: Discourse has DoS vulnerability in username change endpoint
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • MEDIUM 5.3 CVE-2025-68479: Discourse subscriptions are susceptible to takeover
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • MEDIUM 5.3 CVE-2024-37157: Discourse vulnerable to Server-Side Request Forgery via FastImage
    from 0, < 3.2.3
  • MEDIUM 5.3 CVE-2024-24748: Disclosure of the existence of secret subcategories in Discourse
    from 0, < 3.2.1
  • MEDIUM 5.3 CVE-2020-24327: Server Side Request Forgery (SSRF) vulnerability exists in Discourse 2.3.2 and 2.6 via the email function.
    >= 2.3.2, < 2.3.3, >= 2.6.0, < 2.6.1
  • MEDIUM 5.3 CVE-2021-41271: Cache poisoning via maliciously-formed request in discourse
    from 0, <= 2.7.9
  • MEDIUM 5.3 CVE-2021-43794: Anonymous user cache poisoning via development-mode header in Discourse
    from 0, < 2.7.11
  • MEDIUM 5.3 CVE-2022-21677: Group advanced search option may leak group and group's members visibility
    from 0, <= 2.7.12
  • MEDIUM 5.3 CVE-2022-24804: Private group name exposure in discourse
    from 0, < 2.8.3
  • MEDIUM 5.3 CVE-2022-24824: Anonymous user cache poisoning in discourse
    from 0, < 2.8.3
  • MEDIUM 5.3 CVE-2022-31025: Invite bypasses user approval in Discourse
    from 0, < 2.8.4
  • MEDIUM 5.3 CVE-2022-31060: Banner topic data is exposed on login-required Discourse sites
    from 0, < 2.8.4
  • MEDIUM 5.3 CVE-2022-31182: Cache poisoning via maliciously-formed request in Discourse
    from 0, < 2.8.7
  • MEDIUM 5.3 CVE-2022-39378: Displaying user badges can leak topic titles to users that have no access to the topic
    from 0, < 2.8.9
  • MEDIUM 5.3 CVE-2023-22453: Discourse vulnerable to exposure of user post counts per topic to unauthorized users
    from 0, < 2.8.14
  • MEDIUM 5.3 CVE-2023-23615: Malicious users in Discourse can create spam topics as any user due to improper access control
    from 0, < 3.0.1
  • MEDIUM 5.3 CVE-2023-23620: Discourse restricted tag routes leak topic information
    from 0, < 3.0.1
  • MEDIUM 5.3 CVE-2023-23624: Discourse's exclude_tags param could leak which topics had a specific hidden tag
    from 0, < 3.0.1
  • MEDIUM 5.3 CVE-2023-25819: Discourse tags with no visibility are leaking into og:article:tag
    from 0, < 3.1.0
  • MEDIUM 5.3 CVE-2023-31142: Discourse's general category permissions could be set back to default
    from 0, < 3.0.4
  • MEDIUM 5.3 CVE-2023-32061: Discourse Topic Creation Page Allows iFrame Tag without Restrictions
    from 0, < 3.0.4
  • MEDIUM 5.3 CVE-2023-32301: Discourse's canonical url not being used for topic embeddings
    from 0, < 3.0.4
  • MEDIUM 5.3 CVE-2023-34250: Discourse vulnerable to exposure of number of topics recently created in private categories
    from 0, < 3.0.4
  • MEDIUM 5.3 CVE-2023-44391: Prevent unauthorized access to summary details in Discourse
    from 0, <= 3.1.1
  • MEDIUM 4.9 CVE-2024-56197: Users can see other user's tagged PMs in Discourse
    from 0, < 3.4.0
  • MEDIUM 4.9 CVE-2024-38360: Denial of service via Watched Words in Discourse
    from 0, < 3.2.3
  • MEDIUM 4.9 CVE-2022-39241: Possible Server-Side Request Forgery (SSRF) in webhooks
    from 0, < 2.8.10
  • MEDIUM 4.9 CVE-2023-28107: Discourse vulnerable to multisite DoS by spamming backups
    from 0, < 3.1.0 | from 0, <= 3.0.1
  • MEDIUM 4.9 CVE-2023-30606: Multisite denial of service through unsanitized dynamic dispatch to SiteSetting in Discourse
    from 0, < 3.1.0 | from 0, <= 3.0.1
  • MEDIUM 4.3 CVE-2026-32951: Discourse: Authorization bypass in oneboxer via user-controlled category id
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • MEDIUM 4.3 CVE-2026-32618: Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • MEDIUM 4.3 CVE-2026-33424: PM access granted through invites after access revocation
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 4.3 CVE-2026-33422: Discourse exposes ip_address of flagged user
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 4.3 CVE-2026-33393: Discourse fixes loose hostname matching in spam host allowlist
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • MEDIUM 4.3 CVE-2026-26973: Discourse doesn't scope reviewable notes to user-visible reviewables
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • MEDIUM 4.3 CVE-2025-58055: Discourse AI Suggestions Contain Insecure Direct Object Reference
    from 0, < 3.5.1
  • MEDIUM 4.3 CVE-2025-24972: Discourse may bypass user preference when adding users to chat groups
    from 0, < 3.4.0
  • MEDIUM 4.3 CVE-2024-53994: Potential bypass of chat permissions in Discourse
    from 0, < 3.3.3
  • MEDIUM 4.3 CVE-2024-45297: Prevent topic list filtering by hidden tags for unauthorized users in Discourse
    from 0, < 3.3.2
  • MEDIUM 4.3 CVE-2024-43789: Denial of service by the absence of restrictions on replies to posts in Discourse
    from 0, < 3.3.1
  • MEDIUM 4.3 CVE-2024-36122: Discourse doesn't limit reviewable user serializer payload
    from 0, < 3.2.3
  • MEDIUM 4.3 CVE-2021-32788: Post creator of a whisper post can be revealed to non-staff users in Discourse
    from 0, < 2.7.7
  • MEDIUM 4.3 CVE-2021-37703: Information exposure in Discourse
    from 0, < 2.7.8
  • MEDIUM 4.3 CVE-2021-43792: Notifications leak in Discourse
    from 0, < 2.7.11
  • MEDIUM 4.3 CVE-2021-43793: Bypass of Poll voting limits in Discourse
    from 0, < 2.7.11
  • MEDIUM 4.3 CVE-2022-21642: Exposure of whisper participants in discourse
    from 0, < 2.7.13
  • MEDIUM 4.3 CVE-2022-21678: User's bio visible even if profile is restricted in Discourse
    from 0, < 2.7.13
  • MEDIUM 4.3 CVE-2022-24782: Secure category names leaked via user activity export in Discourse
    from 0, < 2.8.3
  • MEDIUM 4.3 CVE-2022-24850: Category group permissions leaked in Discourse
    from 0, < 2.8.2
  • MEDIUM 4.3 CVE-2022-36068: Discourse moderators can edit themes via the API
    from 0, < 2.8.9
  • MEDIUM 4.3 CVE-2022-39226: Discourse user profile location and website fields were not sufficiently length-limited
    from 0, < 2.8.9
  • MEDIUM 4.3 CVE-2022-41921: Discourse chat messages should have a maximum character limit
    from 0, < 2.9.0
  • MEDIUM 4.3 CVE-2022-41944: Discourse users can see notifications for topics they no longer have access to
    from 0, < 2.8.12
  • MEDIUM 4.3 CVE-2022-46150: Discourse may allow exposure of hidden tags in the subject of notification emails
    from 0, < 2.8.13
  • MEDIUM 4.3 CVE-2022-46159: Any authenticated Discourse user can create an unlisted topic
    from 0, < 2.8.14
  • MEDIUM 4.3 CVE-2023-23616: Discourse membership requests lack character limit
    from 0, < 3.0.1
  • MEDIUM 4.3 CVE-2023-23622: Discourse: Presence of read restricted topics may be leaked if tagged with a tag that is visible to all users
    from 0, < 3.0.0
  • MEDIUM 4.3 CVE-2023-23935: Presence of restricted personal Discourse messages may be leaked if tagged with a tag
    from 0, < 3.0.1
  • MEDIUM 4.3 CVE-2023-36466: Topic Title Validation Skipped When Changing Category in Discourse
    from 0, < 3.0.5
  • MEDIUM 4.3 CVE-2023-37906: Discourse vulnerable to DoS via post edit reason
    from 0, < 3.0.6
  • MEDIUM 4.3 CVE-2023-38685: Discourse's restricted tag information visible to unauthenticated users
    from 0, < 3.0.6
  • MEDIUM 4.3 CVE-2023-49099: Discourse secure uploads accessible to guests even when login is required
    from 0, < 3.1.4
  • MEDIUM 4.3 CVE-2024-21655: Insufficient control of custom field value sizes
    from 0, < 3.1.4
  • LOW 3.8 CVE-2026-33426: Discourse users can edit or synonymize hidden tags they can't see
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • LOW 3.7 CVE-2023-43814: Exposure of poll options and votes to unauthorized users in Discourse
    from 0, <= 3.1.1
  • LOW 3.5 CVE-2022-46168: Group SMTP user emails are exposed in CC email header
    from 0, < 2.8.14
  • LOW 3.3 CVE-2023-45816: Unread bookmark reminder notifications that the user cannot access can be seen
    from 0, < 3.2.0
  • LOW 3.1 CVE-2025-24808: Discourse has race condition when adding users to a group DM
    from 0, < 3.4.0
  • LOW 3.1 CVE-2023-37904: Discourse Race Condition in Accept Invite
    from 0, < 3.0.6
  • LOW 3.1 CVE-2023-45147: Arbitrary keys can be added to a topic's custom fields by any user in Discourse
    from 0, <= 3.1.1
  • LOW 2.7 CVE-2026-33408: Discourse has Improper Authorization in "Post Edits" Report For Moderators
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • LOW 2.7 CVE-2026-33394: Discourse leaks PM post edits to moderators
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • LOW 2.7 CVE-2024-52589: Moderators can view Screened emails even when the "moderators view emails" option is disabled in Discourse
    from 0, < 3.3.3
  • LOW 2.7 CVE-2023-28440: Denial of service via admin theme import route in Discourse
    from 0, < 3.0.3
  • CVE-2026-34154: Discourse has a subscription access bypass in its discourse-subscriptions plugin
    from 0, < 2026.1.4, >= 2026.3.0, < 2026.3.1, >= 2026.4.0, < 2026.4.1
  • CVE-2026-33514: Discourse: Information Disclosure in Form Template API Due to Missing Authorization
    from 0, < 2026.1.4, >= 2026.3.0, < 2026.3.1, >= 2026.4.0, < 2026.4.1
  • CVE-2026-34947: Discourse: Staged user custom fields are exposed on public invite pages
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-27481: Discourse: Hidden tag visibility bypass on tag routes
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-33415: Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-33300: Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-33185: Discourse: Group SMTP test endpoint susceptible to SSRF
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-33074: Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-33073: discourse-subscriptions plugin leaking stripe API key in multisite environment
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-32620: Discourse: Missing post-level authorization allows whisper metadata disclosure
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-32619: Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-32615: Discourse: Category group moderators can perform actions on topics in restricted categories without read access
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-32607: Discourse: Stored XSS via unescaped assignee name
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-32243: Discourse: Stored XSS in discourse-ai shared conversations onebox
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-32143: Discourse: Admin-only report can be exported by moderators
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-32113: Discourse: Open redirect via `sso_destination_url` cookie in `enter`
    >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
  • CVE-2026-33428: Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-33427: Discourse Authorization Page Displays Unvalidated Redirect Domain
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-33425: Discourse has inferable private group membership or existence via exclude_groups parameter
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-33423: Discourse staff can modify any user's group notification level
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-33291: Discourse user can create Zendesk tickets even when it does not have access to topic
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-32114: Discourse's unscoped status lookups leak restricted metadata
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-31869: Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-30891: Discourse has Unauthorized Exposure of Private User Action Types
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-30889: Discourse has Unauthorized Post Data Exposure in discourse-user-notes
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-29072: Discourse missing permission check for policy creation in discourse-policy
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.4.0
  • CVE-2026-28282: Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.4.0
  • CVE-2026-27936: Discourse discloses restricted post-action counts to non-privileged users
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.4.0
  • CVE-2026-27935: Discourse leaks private topic metadata to non-authorized users
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.4.0
  • CVE-2026-27934: Discourse leaks private topic title and post excerpt via user action API endpoint
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-27740: Discourse has Stored XSS in AI Triage Automation
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-27570: Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-27491: Discourse has a bypass of official warnings messages by non-staff users
    >= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
  • CVE-2026-28227: Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-28219Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-28218Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-27162DIscourse doesn't prevent whispers to leak in excerpts
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-27154Discourse has XSS when editing a malicious post
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-27153Discourse doesn't prevent moderators from exporting user Chat DMs
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-27152DIscourse has DM communication-preference bypass when adding members
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-27151Discourse doesn't validate destination topic when moving posts
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-27150Discourse doesn't ensure guardian check when creating QueryGroupBookmark
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-27149Discourse has SQL injection in PM tag filtering
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-27021Discourse: Poll voters endpoint lacked post visibility checks
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2026-26979Discourse: TL4 users are able to change status of restricted topics
    from 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1
  • CVE-2025-69289Discourse has insecure default configuration that allows non-admin moderators to takeover any non-staff account via email change
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • CVE-2025-69218Discourse moderators can access admin-only reports exposing private upload URLs
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • CVE-2025-68666Discourse users archives leaked to users with moderation privileges
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2026.1.0
  • CVE-2025-68660Discourse AI Discover's continue conversation allows threat actor to impersonate user
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0
  • CVE-2026-23743Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users
    from 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2026.2.0
  • CVE-2025-64528Users are able to find users by name even when `enable_names` is off
    from 0, < 3.5.3, >= 2025.11.0, < 2025.11.1
  • CVE-2025-61598Discourse is missing Cache-Control response header on error responses
    from 0, < 3.6.2
  • CVE-2025-59337Discourse: Cross-Site Data Exposure via Backup Restore Metacommand Injection in Multisite Deployments
    from 0, < 3.5.1
  • CVE-2025-54411Discourse welcome banner user name XSS
    from 0, < 3.5.0
  • CVE-2025-53102Discourse's WebAuthn challenge isn't cleared from user session after authentication
    from 0, < 3.4.7
  • CVE-2025-49845Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers
    from 0, < 3.4.6
  • CVE-2025-48877Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe
    from 0, < 3.4.4
  • CVE-2025-48053Discourse vulnerable to DoS via large URL payload in PM to a bot
    from 0, < 3.4.4
  • CVE-2025-32376Discourse DM limits aren’t always properly enforced
    from 0, < 3.4.3